5

STATEMENT OF THE HEALTH CARE EXECUTIVES

Health systems, health plans, public health agencies, and biopharmaceutical companies are all driven by the desire to improve health outcomes for patients. These organizations are also well positioned to leverage data sharing for improved patient outcomes and safety, clinician satisfaction, and overall system performance. However, a variety of concerns impede the sharing of health data by health delivery organizations and pharmaceutical and insurance companies.

This statement describes key barriers and solutions for leveraging and sharing health data from the perspective of the health care executives working group (see Box 5-1).

CONCERNS AND BARRIERS

From the perspective of the stakeholder group representing health care executives, the key concerns and existing barriers to advancing data sharing, linkage, and use can be divided into four categories: (1) financial/operational barriers, (2) cultural barriers, (3) regulatory barriers, and (4) policies/procedures barriers.

FINANCIAL/OPERATIONAL BARRIERS

Many health delivery organizations and pharmaceutical and insurance companies believe that data sharing could be detrimental to the interests of organizations that share data. Even if sharing data is favorable to those who receive the data and to the community as a whole, organizations have concerns that data sharing will result in the loss of competitive position and that others will use shared data to achieve competitive advantage or other financial gains.

Limited information on the expected return on investment of data sharing exacerbates these concerns (Deloitte, 2018). In addition, the costs of implementing systems that allow for seamless, secure, and reliable data management and sharing are high (Sittig and Singh, 2011), and the U.S. health care system’s fee-for-service paradigm offers little incentive for data sharing. However, the value of data sharing is evident in the billion-dollar valuation of several health analytics companies.

CULTURAL BARRIERS

Physicians and physician organizations can be skeptical of efforts to publicly report data on physician performance and develop interventions for improving performance based on those data (Stone and Sullivan, 2007), even though sharing performance data can lead to effective and improved care processes (Glasgow et al., 2018). Even while patients have always had the legal right to access their data, health care executives may also be reluctant to institute web-based portals that share health data with patients because they are concerned that patients will be overwhelmed with trying to manage and understand their own health data. However, experiences with the OpenNotes project have dispelled such fears, and the service has been strongly endorsed as a safety measure.

Additionally, health systems may withhold free-text clinical notes from patients due to concerns about releasing sensitive information or receiving numerous questions from patients about or requests to amend their health records.

Health care executives may also fear reputational loss resulting from a data breach. More generally, data sharing is a coordination problem in which no one wants to bear the risk and burden of going first without others also embracing data-sharing policies and practices.

REGULATORY BARRIERS

Data governance lacks a centralized structure and agreement on a data stewardship model, which acts as a disincentive for organizations that are interested in data sharing.

POLICIES/PROCEDURES BARRIERS

Confusion surrounds the issue of who bears responsibility for collecting consent and what consent forms should cover (Goldstein and Rein, 2010). In addition, general consent for treatment at most health systems does not clearly and simply convey to patients how their data may be used or sold, even if the data are de-identified.

More generally, patchwork policies result in a lack of understanding of what types of data can and cannot be shared. While the Health Insurance Portability and Accountability Act (HIPAA) protects clinically generated data, consumer-generated data lack protection (Bailin, 2019). With the rise of health care data breaches and the lack of comprehensive data protections in the United States, hospitals and health care executives are leery of the risks of data sharing, including the financial and criminal penalties associated with data breaches.

PRIORITIES AND ACTION STEPS

From the above description of concerns and barriers, the stakeholder group representing health care executives has prioritized three major barriers that need to be addressed to facilitate widespread data sharing. When prioritizing the barriers, the workgroup members considered which barriers represented the most significant issues preventing widespread data sharing and linkage to improve patient care and which could be either wholly or partially addressed in the next 2 to 3 years. Some of these priority barriers combine several of the themes from the previous section.

1. Misaligned incentives, including financial and security risks

The risk equation for data sharing needs to be rebalanced. So long as companies see the risks of data sharing as outweighing the potential gains, they will resist taking action. Today, insufficient data exist to demonstrate that data sharing results in savings to individual consumers of health care, yet a continued lack of data sharing will forego a wide array of insights into how better care can be provided for population health management.

An action step achievable within 2 to 3 years to begin to address this issue would be to specify and quantify the actual risks and value of sharing data while also clearly specifying the risks of not sharing data. For example, the criminal and financial penalties associated with data breaches are a significant impediment to data sharing (Palabindala et al., 2016). A possible solution would be to institute policies absolving companies that follow the rules from responsibility for data breaches. The state of Massachusetts is currently considering proposed regulations that would accomplish this. In some states, malpractice judgments can depend on whether an organization has violated community standards, which would require specifying community standards to ameliorate potential risks.

Identifying incentives to sharing data among different stakeholder groups would allow resources to be pooled to tackle the problem. Much can be learned from successful examples of data sharing in the research community, such as the work of PCORnet^®, the Health Care Cost Institute, and several pharmaceutical companies (Curtis et al., 2014; Ross et al., 2018). An action step would be to learn from other industries that have adopted data standardization and sharing practices, such as the airline industry’s e-ticketing processes. Another solution could be to build on successful efforts and increase provider and payer participation in health information networks to promote broader interoperable exchange.

As payment models move from volume to value, there are increased incentives for health systems to share rather than only retain data. Several large integrated health systems such as Geisinger, Intermountain Healthcare, and Kaiser Permanente have taken steps in this direction. However, smaller health systems may lack the resources to make such changes without significant reforms to the current payment model. An action step toward this goal would be to establish a forward-thinking pilot group among payers and health systems to facilitate trust between parties and develop a case for data sharing. This is already under way with BlueCross BlueShield of North Carolina partnering with five regional health systems to offer a value-based model of care called Blue Premier (BlueCross BlueShield of North Carolina, 2019).

Another approach to ameliorate risks to companies would be to give patients control of how their data will be shared and the ability to audit data rights over time and as data move through the system. In this regard, companies that act as intermediaries to obtain and share patient data have already been established. Paying patients to share data or establishing patient-mediated data exchanges are additional options. An immediate action step would be to improve the consent process so that patients are better informed about how their data will be used and what the expected outcomes of that use are. One way to protect patient data may be to use blockchain as a mechanism to capture consent preferences at a national level (de Sousa and Pinto, 2019).

2. The financial costs associated with sharing data

Although data sharing is beneficial to the community, health systems are reluctant to invest the large amounts of capital and time required for building and maintaining the infrastructure for data sharing when the return on investment for such sharing is largely unknown.

An overall goal is to change perceptions about the selling and purchasing of data by emphasizing their value to society and by making it a standard practice and priority to share curated data with trustworthy organizations. A specific action step is to reframe the business case for data sharing by not only qualifying and quantifying the value of sharing data but also enumerating the financial, human, and organizational integrity costs of not sharing data. The National Academy of Medicine, with support from the Patient-Centered Outcomes Research Institute, the Agency for Healthcare Research and Quality, or the National Library of Medicine, would be in a good position to conduct such research, though the analytical methods for such a study would need to be developed carefully.

Another goal is to decrease the costs associated with data sharing by creating a widely available infrastructure and robust government stimulus for the development and adoption of technology. One step toward this goal would be to decrease costs by specifying an operating model that would distribute the expense for a shared infrastructure and standardize the data models used for data aggregation. Another action step would be to weigh the impacts of data sharing against the costs—for example, how could data sharing improve medical device safety or inform payer risk assessments? Prior to taking these steps, however, efforts need to be undertaken to create an inventory of prioritized use cases for data sharing by clarifying what kinds of data different groups are trying to access and for what purpose and to learn from case examples of successful health information exchanges.

Implementing national and federal registries could mitigate costs while providing organizations with a safe harbor for data sharing. An action step is to highlight existing safe harbor or “safe lane” constructs and to develop new safe harbor frameworks that would mitigate risks.

Adopting a common data model could optimize the transfer, importation, and utility of data. An action step is to build on the work of the U.S. Core Data for Interoperability Task Force in developing a standardized set of health data classes and constituent data elements for a nationwide, interoperable health information exchange (ONC, 2020a). By and large, utilizing the momentum of existing efforts solves the aforementioned coordination problem and obviates the need to generate buy-in from key stakeholders.

3. Potential harms associated with the loss of competitive advantage and with the sensitivity of information

A significant barrier to data sharing is the perception that data transparency risks revealing information on comparative performance, cost structures, utilization, or contractual arrangements among hospitals, payers, and suppliers. Organizations also fear that data sharing will have harmful unintended consequences. For example, while patient-directed sharing is important, health systems worry about bearing liability for the misuse that might happen when patients share data with third-party entities. Unlike health systems, which have to abide by HIPAA, third-party app companies are not covered by HIPAA. However, health systems to some extent share operational data for benchmarking, and pioneering organizations such as the Cleveland Clinic have seen gains in patient satisfaction and throughput by publicly posting physicians’ respective quality performance data (Lee and Cosgrove, 2014).

Toward the longer-term goal of establishing trust between data providers and data users, an action step is to create a common foundation of policies and practices—a “code of conduct” for data sharing and use. Such a code should contemplate a broad range of use cases independent of technology—examples are the Trusted Exchange Framework and Common Agreement (TEFCA), the New York eHealth Collaborative (NYeC) Statewide Health Information Network policies, Carequality Trust Framework, and CARIN Alliance code of conduct (Carequality, 2019; CARIN Alliance, 2019; NYeC, 2019; ONC, 2019). Depending on the type of data and use case, different parties could serve as a coordinating entity for such a code.

The research community has also been active in this space, particularly as it relates to genetic result sharing. The All of Us Research Program adopted a

detailed data security framework as well as a set of privacy and trust principles developed by the Precision Medicine Initiative that could also serve as models (NIH, 2019). The Clinical Sequencing Evidence-Generating Research (CSER) consortium is another entity that has best practices around return of results (CSER, 2020). Carequality, a private-sector initiative, supports a nationwide trust framework that enables providers who participate in different health information networks to access and share health information (Carequality, 2019). Another action step is to forge national collaborations among health systems, clinical registries, and researchers to determine how data will be used. Existing networks could be used to leverage such collaborations, such as the Food and Drug Administration’s (FDA’s) Sentinel Network, the eHealth Exchange, or PCORnet^® (FDA, 2018; ONC, 2015; PCORnet^®, 2013). A related action step is to delineate the rights and responsibilities of different actors for thoughtful stewardship of health data.

A longer-term goal is to make data available through enclaves that allow for distributed analysis of data without taking possession of those data (this approach is also a solution to Priority Barrier 2: The financial costs associated with sharing data) (Platt and Lieu, 2018). An action step toward this goal is to define what is meant by data enclaves and what the role of the federal government should be in establishing data safe harbors.

As a variation on data enclaves, where data are allowed for use while being walled off and protected, Massachusetts shares mimic datasets containing de-identified intensive care unit data with organizations that want to do research. Competing organizations are able to access each other’s data as long as they have institutional HIPAA training and common institutional review board approval.

COMMON ISSUES

Several potential solutions could affect all three prioritized barriers. A longer-term goal is to convert private data into a public good so that these data can have widespread benefit. One possibility is anonymizing data so that, paradoxically, information belongs to everyone and to no one, which is an approach that Finland is taking. A related longer-term goal is to implement the federal mandate for data sharing instituted by the 21st Century Cures Act.

To that end, a shorter-term action step that will certainly make a difference is the implementation of the Centers for Medicare & Medicaid Services’ (CMS’s) Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of

Qualified Health Plans in the Federally-Facilitated Exchanges and Health Care Providers and The Office of the National Coordinator for Health Information Technology’s (IT) (ONC’s) 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program released in March 2020. These two final rules provide much needed guidance on interoperability and data blocking. In their proposed state, they have been endorsed by all of the past National Coordinators for Health Information Technology, patient advocates, and relevant entities such as the American Academy of Family Physicians, the American Medical Informatics Association, Apple, IBM, Microsoft, the National Association of Accountable Care Organizations, and Rock Health for the innumerable patient benefits they offer. These benefits include (1) enabling seamless data exchange between patients and clinicians, (2) consolidating a person’s health information ideally in one place, and (3) potentially giving patients the opportunity for enhanced decision making through application programming interfaces (APIs), which could obtain patient preferences on medication and treatment plans (Blumenthal et al., 2019; Gleason and Dave, 2020; The Pew Charitable Trusts, 2020).

The CMS final rule expands health plans’ participation in the MyHealthEData initiative by requiring payers in CMS programs such as Medicaid, the Children’s Health Insurance Program, Medicare Advantage Plans, and Qualified Health Plans in the federally facilitated exchanges to do the following (CMS, 2020):

• Provide enrollees access to medical claims and other health information electronically through the implementation of open data-sharing technologies, and
• Participate in trust networks to improve interoperability.

To improve care coordination, the rule requires Medicaid- and Medicare-participating health care facilities to electronically inform hospitals and practitioners in a patient’s care network if and when that person has been admitted, discharged, or transferred. The CMS rules also set up a framework of accountability by proposing to publicly report providers or hospitals that intentionally partake in information blocking.

Extending the efforts of CMS, ONC’s final rules call for health systems to adopt standardized APIs based on Fast Healthcare Interoperability Resources standards and for health IT developers to stand up APIs that allow for the access and exchange of health information without any additional effort (ACEP, 2019; ONC, 2020a). ONC also provides clarity on the information blocking provisions in the 21st Century Cures Act by enumerating the eight conditions under which an organization can withhold data (ONC, 2020b):

1. Preventing harm,

1. Promoting the privacy of electronic health information,
2. Promoting the security of electronic health information,
3. Recovering costs reasonably incurred,
4. Responding to requests that are infeasible,
5. Licensing of interoperability elements on reasonable and nondiscriminatory terms,
6. Maintaining and improving health IT performance, and
7. Limiting the content and manner of responses.

ONC also puts forward a proposed, voluntary model for a nationwide trusted exchange framework through TEFCA; however, it is unclear what incentives will be available for health information networks to adopt it.

The impact of the rules remains uncertain, especially as enforcement has been delayed due to the coronavirus disease 2019 (COVID-19) pandemic (Miliard, 2020). When the ONC and CMS rules were released in their proposed state, a number of potential consequences were raised that could impede data sharing:

• The rules will force standardization of claims models integrated with clinical data models that are well vetted with Health Level Seven International (HL7).
• Data sharing could be hampered by organizations misapplying or exploiting the information-blocking exemptions. For example, according to a subcomponent of the “promoting the privacy of EHI [electronic health information]” exception, organizations could be allowed to limit information f low if they are abiding by “certain practices not regulated by HIPAA but which implement documented and transparent privacy policies” of the organization (Savage, 2019).
• For-profit organizations not covered by HIPAA could commercialize data being obtained through an API not tethered to a portal.
• Greater accessibility to claims data might increase people’s ability to submit fraudulent claims for services not provided or rendered.
• Given the ambiguity in the proposed rule and lack of definitive examples, there are also concerns that there will be a large number of unfounded complaints and resulting litigation.

These proposed rules have received significant comments from the private sector, as well as recommendations from the Federal Trade Commission regarding important adjustments “to ensure the final rule does not inadvertently distort

competition or impede innovation, to the detriment of consumer welfare” (FTC, 2019).

RESPONSIBLE ORGANIZATIONS

Many groups, both within and outside the stakeholder communities, will be responsible for implementing the action steps described above, including

• chief financial officers and chief medical officers contemplating the overall risks and benefits of data sharing;
• federal agencies, including the Office for Civil Rights;
• electronic health record vendors;
• Carequality;
• institutions doing research on data enclaves, such as The University of Texas and the University of California, San Diego;
• CARIN Alliance;
• DaVinci Project, HL7;
• institutions experimenting with using synthetic datasets, such as Intermountain Healthcare, Washington University, and MDClone;
• companies that monetize data, such as Harvard Stem Cell Institute;
• health information networks; and
• data aggregators and cloud providers, such as Verily, Microsoft, Health Catalyst, and Optum.